by kbutler 3113 days ago
And the assertion that "an attacker with access to the computer could have enabled it to record what a user was typing" is somewhat silly.

If the attacker has access to the computer, why not install some other key logger that would send info to the attacker's site?

I agree that someone having access to run arbitrary code on a machine is a much bigger deal. In this case, the difference between this debugging feature and an installed keylogger is the use of trusted software to perform the keylogging. When the mictray issue came out earlier this year, I ran across a blog post you may find interesting [1]. To summarize, the author repurposed the HP executable to log keys to a remote server using webdav.

[1] https://diablohorn.com/2017/05/12/repurposing-the-hp-audio-k...

Thanks, Julian - that was interesting. The redirecting of the keylog to a webdav destination lets the key logging happen to a remote server, without installing any untrusted software, and with no user UI-level exposure.

Claiming that an attacker would use this is nonsensical.

You need write access to HKLM in order to change the registry key; if you have write access to HKLM you can inject your own driver (inc. keylogger) into the OS.

Plus the keypresses are context-less (i.e. you don't know what application, or window the keypress was sent to). A continuous stream of keypresses with no context is darn near useless; it doesn't even contain timestamps!

Any number of off-the-shelf keyloggers would do a far better job, all of which can be auto-loaded if you have HKLM write access. They'll even tell you the exact web page a keypress was sent to and manage the job of sending that information to you...

Those off the shelf keyloggers would be detected by security software, however, whereas something signed by the vendor is going to be whitelisted. I still wouldn’t say this is a huge sign of malice but it’s definitely open for creative misuse.

www.facebook.com<return> stephan<tab>123abc

doesn't seem useless to me.

A person that knows that you can use tab to jump between form fields probably uses a password manager anyway.

You only need a powered user to modify HKLM. It's a group between users and administrators, not often used or known.

Or as Raymond Chen is fond of saying (citing from the Hitchhiker's Guide), "It rather involved being on the other side of this airtight hatchway".

>> why not install some other key logger that would send info to the attacker's site?

Because one would assume that this software/driver has been signed and would not be recognized as evil by any protection system, at least not one on the laptop.

and get their ssh keys while you're at it.